oholecek_FTNT
Description
In the context of an email message delivery, "relaying" refers to the operation when an email message is being sent to the destination which is not "local" (GMail, Yahoo, other company, etc.).

By default, FortiMail unit does not accept emails for any other domain than is locally configured (see the “Mail Settings » Domains” menu). Otherwise, SPAM senders would be able to abuse this functionality, to send unsolicited emails without the approval of the FortiMail unit owner.

Scope
FortiMail
Solution
Frequently, company needs to allow it's internal users to send emails to any remote server.
 
There are two ways, how to achieve this on a FortiMail system:
 
1. Create an Access Control policy to specify the IP address and/or email addresses that are allowed to relay emails.
2. Allow relaying from authenticated users.
 
 
Solution 1: Create an Access Control policy
 
In the web admin GUI, navigate to “Policy » Access control” menu, create a new "Receiving Policy" and modify following fields:
  • Sender pattern: Internal
  • Recipient pattern: External
  • Sender IP/netmask: User defined: IP range of your internal network
  • Action: RELAY

oholecek_FD34091_receiving-access-policy.jpg

With this policy in place, FortiMail unit will accept and forward all email messages, sent by users from the specified internal network (10.0.0.0/8 in this example), where the email sender belongs to the locally configured domain.
 
 
Solution 2: Allow relaying from authenticated users
 
When an authentication profile is created and used in “Policies » Policies » IP Policies” or “Policies » Policies » Recipient Policies” menu, all users who can successfully authenticate will be able to send any email message. For authentication to work properly, there needs to be a backend server in the internal network that is able to verify provided usernames and passwords. In this simple example, an SMTP authentication is used.

To create authentication profile, verified by the internal SMTP server, in the web admin GUI navigate to “Profile » Authentication” menu, and enter the new profile as follows:

  • Profile name: choose a name of the new profile
  • Server name/IP: fill the IP address of your internal SMTP server that supports SMTP authentication

oholecek_FD34091_profile-authentication.jpg

Then, apply this profile in “Policies » Policies » IP Policies” or “Policies » Policies » Recipient Policies” menu, and enable “Use for SMTP authentication” checkbox.

oholecek_FD34091_policies-authentication.jpg

From now on, every user, whose credentials are verified by the internal SMTP server, can send any email.


Contributors